[bind10/f19] Run BIND10 as named user (use setcap for dhcp servers for now)
Tomas Hozza
thozza at fedoraproject.org
Mon Nov 18 12:10:27 UTC 2013
commit cd075f738ed06559178ec15a701b5c93586889fd
Author: Tomas Hozza <thozza at redhat.com>
Date: Fri Nov 15 10:04:56 2013 +0100
Run BIND10 as named user (use setcap for dhcp servers for now)
Resolves: #1017025
Signed-off-by: Tomas Hozza <thozza at redhat.com>
bind10.service | 4 +---
bind10.spec | 29 +++++++++++++++++++++++++----
2 files changed, 26 insertions(+), 7 deletions(-)
---
diff --git a/bind10.service b/bind10.service
index 8ff5310..830f01d 100644
--- a/bind10.service
+++ b/bind10.service
@@ -8,9 +8,7 @@ After=network.target
Type=simple
PIDFile=/run/bind10/bind10.pid
-# Don't run BIND10 as user 'named' because of DHCP server
-#ExecStart=/usr/sbin/bind10 -u named --pid-file /run/bind10/bind10.pid
-ExecStart=/usr/sbin/bind10 --pid-file /run/bind10/bind10.pid
+ExecStart=/usr/sbin/bind10 -u named --pid-file /run/bind10/bind10.pid
[Install]
WantedBy=multi-user.target
diff --git a/bind10.spec b/bind10.spec
index 1d07bf0..c7ab821 100644
--- a/bind10.spec
+++ b/bind10.spec
@@ -9,7 +9,7 @@
Name: bind10
Version: 1.1.0
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: The Berkeley Internet Name Domain 10 (BIND10) DNS and DHCP suite
License: ISC
@@ -112,6 +112,7 @@ touch $RPM_BUILD_ROOT/%{b10sysconfdir}/cmdctl-certfile.pem
touch $RPM_BUILD_ROOT/%{b10sysconfdir}/cmdctl-accounts.csv
touch $RPM_BUILD_ROOT/%{b10localstatedir}/b10-config.db
touch $RPM_BUILD_ROOT/%{b10localstatedir}/logger_lockfile
+touch $RPM_BUILD_ROOT%{b10localstatedir}/msgq_socket
# Package those files via %%doc
rm -f $RPM_BUILD_ROOT/%{_docdir}/bind10/{AUTHORS,COPYING,ChangeLog,README}
@@ -140,7 +141,7 @@ fi;
%systemd_post bind10.service
# if installing the package
-if [ "$1" = 1 ]; then
+if [ "$1" -eq 1 ]; then
# generate private RSA key and create certificate for b10-cmdctl if there is none
if [ ! -s %{b10sysconfdir}/cmdctl-keyfile.pem ] || [ ! -s %{b10sysconfdir}/cmdctl-certfile.pem ]; then
openssl genpkey -algorithm RSA -out %{b10sysconfdir}/cmdctl-keyfile.pem -pkeyopt rsa_keygen_bits:2048 &> /dev/null
@@ -172,13 +173,29 @@ fi
/sbin/ldconfig
%systemd_postun_with_restart bind10.service
+%triggerun -- bind10 < 1.1.0-6
+# updating
+if [ "$1" -gt 0 ]; then
+ if [ -a %{b10localstatedir}/b10-config.db ]; then
+ chown named %{b10localstatedir}/b10-config.db
+ fi
+fi
+
%post libs -p /sbin/ldconfig
%postun libs -p /sbin/ldconfig
%post dns -p /sbin/ldconfig
%postun dns -p /sbin/ldconfig
-%post dhcp -p /sbin/ldconfig
+%post dhcp
+/sbin/ldconfig
+
+# set necessary capabilities for DHCP4 and DHCP6 server
+# !!! this need to be removed once DHCP server are ported to use b10-sockcreator !!!
+setcap CAP_NET_RAW,CAP_NET_BIND_SERVICE=ep %{b10libexecdir}/b10-dhcp4
+setcap CAP_NET_RAW,CAP_NET_BIND_SERVICE=ep %{b10libexecdir}/b10-dhcp6
+
+
%postun dhcp -p /sbin/ldconfig
%files
@@ -209,8 +226,9 @@ fi
%attr(0640, root, named) %config(noreplace) %ghost %{b10sysconfdir}/cmdctl-keyfile.pem
%attr(0640, root, named) %config(noreplace) %ghost %{b10sysconfdir}/cmdctl-certfile.pem
%config(noreplace) %ghost %{b10sysconfdir}/cmdctl-accounts.csv
-%config(noreplace) %ghost %{b10localstatedir}/b10-config.db
+%attr(-, named, named) %config(noreplace) %ghost %{b10localstatedir}/b10-config.db
%ghost %{b10localstatedir}/logger_lockfile
+%attr(-, named, named) %ghost %{b10localstatedir}/msgq_socket
%{_sbindir}/bind10
%{_mandir}/man8/bind10*
%{_bindir}/b10-certgen
@@ -390,6 +408,9 @@ fi
%{_libdir}/libb10-dhcpsrv.so.*
%changelog
+* Mon Nov 18 2013 Tomas Hozza <thozza at redhat.com> - 1.1.0-6
+- Run BIND10 as named user (use setcap for dhcp servers for now) (#1017025)
+
* Wed Oct 09 2013 Tomas Hozza <thozza at redhat.com> - 1.1.0-5
- Run BIND10 suite as root (#1003972)
More information about the scm-commits
mailing list